Web Monitor

Review

Audited by ClawScan on May 11, 2026.

Overview

The skill mostly matches its web-monitoring purpose, but it disables HTTPS certificate checks while claiming secure fetching, so monitored pages and change alerts can be spoofed.

Review carefully before installing. Avoid using it for sensitive or security-critical monitoring unless TLS verification is fixed, use only trusted notification commands, and enable `--hash-only` when monitoring pages whose content should not be saved locally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone on the network could spoof or alter the monitored page, causing false change detections and any configured notifications to fire.

Why it was flagged

All HTTPS requests are made with certificate and hostname verification disabled, so the monitor cannot authenticate the site it is watching.

Skill content

```python
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
```

Recommendation

Do not use this for sensitive monitoring until TLS verification is restored; remove the unverified SSL context or make insecure mode an explicit opt-in with a warning.

What this means

A poorly chosen notification command could modify files, call external services, or run repeatedly when the page changes.

Why it was flagged

The notification feature runs the user-provided command through the shell whenever a change is detected.

Skill content

```python
if args.notify:
    os.system(args.notify)
```

Recommendation

Use only simple, trusted notification commands, avoid destructive shell commands, and review any command before running watch mode.

What this means

If you monitor a private or internal page and save output, page content may remain in local JSON files.

Why it was flagged

When output is saved, the script stores the fetched page content unless `--hash-only` is used.

Skill content

```python
'content': content if not args.hash_only else None
```

Recommendation

Use `--hash-only` for sensitive pages and store output files in a location with appropriate access controls.